Re: [mailop] IPv6 addresses for Microsoft Office 365 hosted domains?
Hi,

Thanks, Dick and Franck, that URL has some great information.

I'm 99% sure that neither Office365 customer turned IPv6 on and off, especially in the same afternoon (that MSDN blog entry notes that the customer has to specifically request it), so I'm guessing that something happened at MSFT that it accidentally turned on for a while for some customers.

I was curious about these rules so I set up a test-account and had support enable Inbound IPv6 for it. Took them a few days (and a couple of phone calls, are you really really sure?) but went quite well otherwise.

Feel free to write an email to autorespon...@o365.schmidt-it.info . Despite the name I wasn't able to configure the account to return anything useful (i.e. full headers) to the sender, so it doesn't reply at all. You'll need to check your logs for the delivery status. Maybe I'll get to that later this week, but that would have to be done outside of O365.

I have done a few tests and for now I do not see any rejects even when there is neither DKIM nor SPF on the sender domain. Hell I don't even see a reject on missing PTR.

I also cannot confirm any requirement for SPF/DKIM on Google's side. We send a lot of email to Google over IPv6, most of it is unsigned. We never had any issues with it. The world is not as black/white as that M3AAWG recommendation makes us believe. We don't send a lot of mail to LinkedIn so I cannot say anything about that.

From my POV, requiring PTR is good and should be done on IPv4 as well. Requiring DKIM/SPF for IPv6 delivered mail would be a death sentence for IPv6 on MTAs if you do not fully control all outbound mail (think smarthost of a university or ISP). And you cannot easily disable IPv6 to selected destinations.

Best Regards,
Bernhard

Frank

-----Original Message-----
From: Dick Visser [mailto:vis...@terena.org]
Sent: Thursday, November 27, 2014 1:02 PM
To: Frank Bulk
Cc: mai...@mailop.org; IPv6 operators forum
Subject: Re: IPv6 addresses for Microsoft Office 365 hosted domains?

On a related note, I'm in the process of setting up mail for our new domain, and Office365 was one of the options. I was surprised to see that Office 365 hosted domains have only one MX, which resolves to only two IPv4 addresses:

visser@cajones:~$ host geant-org.mail.protection.outlook.com.
geant-org.mail.protection.outlook.com has address 213.199.154.87
geant-org.mail.protection.outlook.com has address 213.199.154.23

Both sit in the same network, which seems like a bad idea. Unless this is anycast? Can't tell from here.

However, MS seems to have changed things recently:

http://blogs.msdn.com/b/tzink/archive/2014/10/28/support-for-anonymous-inbound-email-over-ipv6-in-office-365.aspx

Better late than never. The alternative for e-mail is Google Apps, which has had IPv6 for years.

Dick

On 27 November 2014 at 03:00, Frank Bulk frnk...@iname.com wrote:

This afternoon I saw several log messages in our email server's logs in relation to emails our local business customer (who uses our ISP email server) was trying to send to a Microsoft Office 365 hosted domain:

[:::12.43.166.xx] Site target domain redacted (2a01:111:f400:7c0c::11) said after data sent: 554 5.7.1 Service unavailable, message sent over IPv6 [2607:fe28:0:4000::10] must pass SPF or DKIM validation (message not signed)

The PTR for 2a01:111:f400:7c0c::11 is mail-by26c0c.inbound.protection.outlook.com. But when I check the MX record of the target domain I see there's no for the redacted.mail.eo.outlook.com, just three A's.

Fortunately we control our local business customer's DNS and I've added in our email server's DKIM so that future emails, if they were sent over IPv6, should be accepted by Microsoft. Our customer has no SPF record.

I also saw two log messages for two Microsoft Office 365 hosted domains:

26 13:30:59.00 [56882563] Failed :::199.120.69.25 notification+kyg2k...@facebookmail.com target domain1 email redacted 9259 1502549920004098-1497189607206...@groups.facebook.com [:::199.120.69.25] ubad=0, Site (target domain1 redacted/2a01:111:f400:7c10::1:10) said: 550 5.2.1 Service Unavailable, [target domain1 redacted] does not accept email over IPv6

26 19:04:52.00 [83985160] Failed :::12.43.166.20 from redacted target domain2 email redacted 6546 0EBCBB96763E41B2A4CD9A4CD3DD94BE@sp.local [:::12.43.166.20] ubad=1, Site (target domain2 email redacted/2a01:111:f400:7c0c::11) said: 550 5.2.1 Service Unavailable, [target domain2 email redacted] does not accept email over IPv6

There's no PTR for 2a01:111:f400:7c10::1:10.

I checked the last 7 days of logs and I only saw these today. It's like Microsoft published some 's for some MX records, but then withdrew them, but not before there were a few failures.

Frank
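Added example (not part of any message in this thread): a small triage script that separates the two IPv6 rejections quoted above, since one is fixed on the sending side and the other is not. The function names, category labels and the third sample line are assumptions made for this example; the first two sample lines are the reply texts from the logs above.

```python
import ipaddress
import re

# Replies 1 and 2 are the rejections quoted in the thread; reply 3 is constructed.
SAMPLE_LINES = [
    "Site target domain redacted (2a01:111:f400:7c0c::11) said after data sent: "
    "554 5.7.1 Service unavailable, message sent over IPv6 [2607:fe28:0:4000::10] "
    "must pass SPF or DKIM validation (message not signed)",
    "Site (target domain1 redacted/2a01:111:f400:7c10::1:10) said: 550 5.2.1 "
    "Service Unavailable, [target domain1 redacted] does not accept email over IPv6",
    "Site (mx.example.net/2001:db8::25) said: 250 2.6.0 Queued mail for delivery",
]

SMTP_REPLY = re.compile(r"\b([245]\d\d) (\d\.\d{1,3}\.\d{1,3})\b")
V6_CANDIDATE = re.compile(r"[0-9A-Fa-f:]*:[0-9A-Fa-f:]+")

# (text in the reply, category, who has to act) -- labels are this example's own
RULES = [
    ("must pass spf or dkim validation", "auth-required",
     "sender: publish SPF covering the IPv6 source, or DKIM-sign"),
    ("does not accept email over ipv6", "ipv6-not-enabled",
     "recipient: domain has not opted in to IPv6; deliver over IPv4"),
]

def ipv6_addresses(text):
    """Return the syntactically valid IPv6 addresses in text, in order."""
    found = []
    for token in V6_CANDIDATE.findall(text):
        try:
            ipaddress.IPv6Address(token)
        except ValueError:
            continue  # timestamps, mangled prefixes, stray colons
        found.append(token)
    return found

def triage(line):
    """Classify one delivery log line by its SMTP reply text."""
    match = SMTP_REPLY.search(line)
    code, enhanced = match.groups() if match else (None, None)
    category, action = "other", None
    if code and code[0] == "5":
        for needle, name, who in RULES:
            if needle in line.lower():
                category, action = name, who
                break
    return {"code": code, "enhanced": enhanced, "category": category,
            "action": action, "ipv6": ipv6_addresses(line)}

if __name__ == "__main__":
    for entry in SAMPLE_LINES:
        print(triage(entry))
```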
RE: [mailop] IPv6 addresses for Microsoft Office 365 hosted domains?
Bernhard,

Thanks for sharing your experience. You may have been able to send email to Google for some days from your IPv6 host without a PTR, but I think that would only go on for a short time. Have you tried sending to Comcast?

From an ISP perspective, adding in an SPF (or equivalent TXT) record for the IPv6 space of your ISP mail server would not be a hard thing to do. While not all email servers support DKIM, all DNS servers support TXT records.

Frank

-----Original Message-----
From: Bernhard Schmidt [mailto:bernhard.schm...@lrz.de]
Sent: Monday, December 15, 2014 3:53 AM
To: Frank Bulk; 'Dick Visser'; 'Franck Martin'
Cc: mai...@mailop.org; IPv6 operators forum
Subject: Re: [mailop] IPv6 addresses for Microsoft Office 365 hosted domains?
Re: [mailop] IPv6 addresses for Microsoft Office 365 hosted domains?
On Nov 26, 2014, at 6:00 PM, Frank Bulk frnk...@iname.com wrote:

This afternoon I saw several log messages in our email server's logs in relation to emails our local business customer (who uses our ISP email server) was trying to send to a Microsoft Office 365 hosted domain:

[:::12.43.166.xx] Site target domain redacted (2a01:111:f400:7c0c::11) said after data sent: 554 5.7.1 Service unavailable, message sent over IPv6 [2607:fe28:0:4000::10] must pass SPF or DKIM validation (message not signed)

It is all explained here:

http://blogs.msdn.com/b/tzink/archive/2014/10/28/support-for-anonymous-inbound-email-over-ipv6-in-office-365.aspx

Note, there are now 3 IPv6 receivers that require DKIM or SPF for email over IPv6: Google, Microsoft and LinkedIn. It is a M3AAWG BCP.

http://engineering.linkedin.com/email/sending-and-receiving-emails-over-ipv6

https://www.m3aawg.org/sites/maawg/files/news/M3AAWG_Inbound_IPv6_Policy_Issues-2014-09.pdf